Can cybersecurity innovations qualify for R&D tax credits [2026]?
As cybersecurity threats evolve, businesses tackling them are increasingly adapting to stay ahead of the problem. Many businesses in the field don’t realise their innovative work qualifies under HMRC’s R&D scheme, missing out on large sums of money in R&D tax credits.
Cybersecurity innovation and R&D are closely linked, which means you could get a tax rebate or cash payment to offset the costs of some of your work, even if you made a loss.
From April 2024, the SME scheme and R&D expenditure credit (RDEC) have been combined into one R&D merged scheme, streamlining rules while keeping ERIS as a separate support route.
Find out more about cybersecurity R&D eligibility in the UK: which industry-specific projects qualify, how to avoid pitfalls, and the evidence you need to claim R&D tax relief for cybersecurity successfully.
Why Does Cybersecurity Innovation Matter for R&D Tax Credits?
Cybersecurity falls into the category of software development R&D.
Cybersecurity is changing at a pace unlike other software industries, constantly adapting to keep hackers at bay.
This constant need for experimentation and problem-solving means it fits the DSIT guidelines under HMRC’s definition of R&D:
- Innovation – Cybersecurity is inherently innovative because it’s always evolving and changing
- Science and technology – Cybersecurity clearly falls into the category of science and technology
- Uncertainty – Cybersecurity directly contributes to this advance in science and technology by resolving uncertainty
Cybersecurity R&D tax credit claims may also include certain indirect qualifying activities, which don’t directly solve the technological uncertainty but are still essential to the project’s completion.
Which Cybersecurity Projects Qualify as R&D?
There is a wide range of cybersecurity projects that qualify for R&D tax relief for software projects.
Cryptography & Encryption
Cryptography and encryption can qualify for R&D tax credits in a number of ways:
- PQC – Post-quantum cryptography used to secure research data qualifies as an indirect R&D activity because it supports the safe progress of the project
- Homomorphic encryption – Applying homomorphic encryption to protect sensitive datasets in testing is eligible as it enables compliant data handling during R&D
- Secure key management – Managing encryption keys for R&D environments counts as an indirect activity since it safeguards the systems that make research possible
- Pure mathematics – Development of new mathematical proofs or theories for post-quantum cryptography
Threat Detection & AI-Driven Security
Threat detection and AI-driven security are vital to innovation:
- Machine learning intrusion detection – Developing intrusion detection tools with machine learning qualifies as R&D because it tackles technological uncertainty in threat identification
- Anomaly detection – Creating new models to flag unusual patterns in data counts as R&D since it directly advances security technology
- SIEM improvements – Enhancing security information and event management systems is eligible where it involves resolving technical challenges in processing and analysing data
- Data licences – Data licences may qualify if the data is used to train anomaly detection or intrusion detection systems
- Endpoint detection and response (EDR) – Working on new cybersecurity solutions that detect and respond to threats on endpoint devices
Identity & Access Management (IAM) / Zero Trust
Identity and access management, and zero trust contribute to scientific development by helping to fuel the following:
- Biometric authentication – Building or refining biometric login systems qualifies as R&D when it involves solving technical challenges in accuracy and security
- Federated identity – Developing federated identity solutions is R&D if it addresses uncertainties in securely linking multiple systems
- Zero-trust orchestration – Designing zero-trust frameworks and orchestration tools counts as R&D where new methods are created to enforce access control
Cloud & Edge Security
Cloud and edge security work can fit the criteria for R&D through:
- Securing hybrid/multi-cloud systems – Strengthening security across hybrid or multi-cloud environments can qualify as R&D where it solves uncertainties in interoperability and data protection
- IoT edge defence – Developing defences for Internet of Things devices at the network edge is R&D if it involves new methods to prevent or detect threats
- Encrypted traffic optimisation – Creating techniques to analyse or optimise encrypted traffic without weakening security counts as R&D where it resolves complex technical challenges
Blockchain & Secure Audit Trails
Blockchain and secure audit trails help technology boom in the UK in these ways:
- Immutable logging – Creating systems for tamper-proof audit logs qualifies as R&D where it overcomes technical challenges in data integrity
- Blockchain-based incident reporting – Using blockchain to design secure, verifiable reporting processes is R&D if it resolves uncertainties in reliability and trust
Critical Infrastructure & OT Security
Critical infrastructure and OT security are something the government supports with R&D tax relief as they are useful for:
- SCADA/ICS security – Developing new ways to secure industrial control and SCADA systems qualifies as R&D when it addresses complex uncertainties in resilience and protection
- Real-time mitigation in operational systems – Creating techniques to detect and respond to threats in real time is R&D if it involves solving technological challenges in operational security
Privacy & Data Protection
Privacy and data protection are vital to technological advancement:
- Differential privacy – Designing methods that apply differential privacy qualifies as R&D where it resolves uncertainties in protecting sensitive data during analysis
- GDPR-aligned anonymisation – Creating anonymisation techniques that meet GDPR standards is R&D if it involves developing new approaches to regulatory compliance
- Privacy-preserving data sharing – Building systems that enable secure data sharing without exposing personal information counts as R&D when it overcomes technical privacy challenges
- SOC R&D – Activities within a security operations centre may qualify
Cybersecurity Work That Usually Doesn’t Qualify
Routine patching and software updates are considered standard IT tasks rather than R&D. Configuring off-the-shelf vendor products also does not meet R&D criteria.
Meeting compliance frameworks such as ISO 27001 or Cyber Essentials is classed as business as usual, as is general IT and security maintenance, so you wouldn’t be able to claim for these costs either.
Case Study – A Successful R&D Claim for a Firm in Cybersecurity
A client in the cybersecurity sector developed innovative solutions to strengthen data security, including advanced encryption and secure payment technology.
By tackling technological uncertainties in cryptography and compliance, their work qualified as R&D under HMRC’s guidelines.
With our support, they successfully claimed R&D tax relief, recovering a substantial sum to reinvest into further innovation.
Evidence Cyber Firms Should Keep
It’s helpful to keep records and documentation of the following when claiming R&D for cybersecurity innovation:
- Git commits and code repositories – Version control records that show experimentation, iteration, and technical problem-solving
- Threat modelling documents – Written analysis demonstrating how potential vulnerabilities were explored during the R&D process
- Benchmark logs and attack simulations – Evidence of testing, measuring performance, and simulating attacks to resolve uncertainties
- Test harnesses and failure reports – Structured test setups and documented failures proving systematic investigation of technical challenges
- Records of regulatory uncertainty – Notes or evidence where compliance requirements, such as GDPR, conflicted with technical feasibility
This will help your case if you’re asked by HMRC to provide evidence for your R&D claim.
Common Pitfalls in Cybersecurity R&D Claims
Some projects do not qualify for R&D tax credits. When claiming, take care not to make these common mistakes:
- Misclaiming pen-testing activities – Routine penetration testing is usually classed as standard security practice, not qualifying R&D
- Confusing operations with innovation – Day-to-day IT or security operations are not the same as advancing technology
- Claiming subcontracted overseas work without valid exemption – HMRC only allows overseas R&D costs in specific cases, so many claims are rejected
- Failing to document uncertainty or advance clearly – Without clear evidence of scientific or technological uncertainty, HMRC may deny the claim
What are the Steps to Claiming R&D for Cybersecurity Innovation?
Quick R&D Claim Checklist for Cybersecurity Firms
This cybersecurity R&D claim checklist can help you claim by ensuring you’ve accounted for all of your eligible R&D activities:
- Does your project tackle a scientific or technological uncertainty?
- Is the work carried out in one of the seven innovation areas listed above?
- Can you show systematic experimentation (e.g. testing, modelling, trials)?
- Do you have evidence of failures or iterations, not just successes?
- Are you keeping detailed records (Git commits, test logs, technical notes)?
- Is the work carried out by your company or a UK-based subcontractor?
- Can you demonstrate that the project seeks an advance in technology, not just routine operations?
Review your claim before submission to make sure everything is correct – errors can lead to delays, rejections or penalties.
You must submit an additional information form (AIF). Tick off an additional information form checklist to ensure your form contains everything it needs.
Cybersecurity R&D Tax Credits in 2025 – FAQs
What is R&D Tax Credit for Cybersecurity?
R&D tax credit for cybersecurity is a UK government scheme that rewards qualifying businesses for their contributions towards innovation in tech and science with a tax cut or cash payment. Cybersecurity falls into the category of software when it comes to R&D criteria, and often meets several qualifying criteria for the scheme.
Can Penetration Testing Qualify for R&D Tax Relief?
Penetration testing (a simulated cyber attack used to test for vulnerabilities) is considered a ‘routine operation’, and does not qualify for R&D tax relief. This means it’s seen as an everyday activity, not one that contributes towards research and development.
Do Cloud Security Costs Qualify Under R&D?
The chancellor announced in the Autumn Budget 2021 that cloud computing costs are included as a qualifying cost. This means you can include cloud costs in your R&D claim.
How Does the Decision-Maker Rule Affect Cyber Firms?
Only the person or business that takes on the financial risk can claim for it according to HMRC rules. This often means the client as opposed to a contractor who is developing the work.
What Evidence Do Cyber Firms Need for an R&D Claim?
Cyber firms need to prove that they are contributing to research and development, and provide evidence for all costs they claim for. You may be asked by HMRC to show systematic experimentation, such as testing, modelling and trials.
How Can Alexander Clifford Help My Claim?
Alexander Clifford can help get you the best R&D tax claim by building strong evidence of your qualifying activities and submitting a robust claim.
Get in touch to find out how you could receive cybersecurity R&D support from our specialists. Our service offers transparent fees, and we’ll defend your claim against any HMRC enquiries.